Canonical SSO provider

Merge lp:~maxiberta/canonical-identity-provider/readonly-improvements into lp:canonical-identity-provider/release

readonly-improvements
Merge into trunk

Proposed by Maximiliano Bertacchini on 2019-10-17

Status:	Merged
Approved by:	Maximiliano Bertacchini on 2019-10-22
Approved revision:	no longer in the source branch.
Merge reported by:	Otto Co-Pilot
Merged at revision:	not available
Proposed branch:	lp:~maxiberta/canonical-identity-provider/readonly-improvements
Merge into:	lp:canonical-identity-provider/release
Diff against target:	1396 lines (+170/-738) 19 files modified django_project/settings_base.py (+0/-2) src/identityprovider/management/commands/readonly.py (+11/-49) src/identityprovider/readonly.py (+1/-92) src/identityprovider/templates/admin/readonly.html (+0/-66) src/identityprovider/templates/admin/readonly.txt (+0/-8) src/identityprovider/templates/admin/readonly_confirm.html (+0/-70) src/identityprovider/tests/test_auth.py (+4/-8) src/identityprovider/tests/test_command_readonly.py (+3/-52) src/identityprovider/tests/test_models_account.py (+5/-10) src/identityprovider/tests/test_models_openidmodels.py (+5/-14) src/identityprovider/tests/test_readonly.py (+2/-253) src/identityprovider/tests/test_signals.py (+10/-19) src/identityprovider/tests/utils.py (+13/-1) src/identityprovider/urls.py (+0/-12) src/identityprovider/views/readonly.py (+0/-64) src/webui/tests/test_templates.py (+3/-6) src/webui/tests/test_views_account.py (+64/-3) src/webui/tests/test_views_registration.py (+32/-2) src/webui/tests/test_views_ui.py (+17/-7)
To merge this branch:	bzr merge lp:~maxiberta/canonical-identity-provider/readonly-improvements
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Natalia Bidart (community)		Approve on 2019-10-22
Daniel Manrique (community)	2019-10-17	Approve on 2019-10-18
Review via email: mp+374313@code.launchpad.net

Commit message

Readonly cleanup: drop API for remote management of readonly flag (now handled via juju); simplify the 'readonly' management command.

Description of the change

Adds a number of tests around readonly mode that were missing.

Additionally, fix/workaround the readonly management command which was basically broken due to django's arg parser prefix matching "--set" to "--settings", which resulted in `manage readonly --set` crashing with AttributeError. This command is now intended for local development only (`manage readonly [set|clear]`).

Revision history for this message

Daniel Manrique (roadmr) wrote on 2019-10-18:

LGTM, maybe worth checking with Natalia to see if she can spot any remaining needs for that remote readonly API, but it definitely seems redundand in the Juju world which can go into each unit and run the command for us (fwiw other tools such as ansible could also do this so definitely an API for this feels overkill).

review: Approve

Revision history for this message

Natalia Bidart (nataliabidart) wrote on 2019-10-22:

Looks great, thanks for the added tests.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Corey Russell SR

Damian

Danny Tamez

Diane Montana

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

 === modified file 'django_project/settings_base.py'
 --- django_project/settings_base.py	2019-09-25 20:39:50 +0000
 +++ django_project/settings_base.py	2019-10-22 14:04:10 +0000
@@ -41,7 +41,6 @@
      API_HOST += ':%s' % parsed_url.port
  API_URL = '/api/v2'
  APPEND_SLASH = True
--APP_SERVERS = []
  AUTHENTICATION_BACKENDS = [
      'identityprovider.auth.LaunchpadBackend',
      # restore ModelBackend until admin login gets properly fixed
@@ -480,7 +479,6 @@
          'canonical_raven.processors.SanitizeTimelineDjangoProcessor',
      ],
+ }
--READONLY_SECRET = 'CHANGEME'
  READ_ONLY_MODE = False
  ROOT_URLCONF = 'django_project.urls'
  SAML2IDP_CONFIG = {
 === modified file 'src/identityprovider/management/commands/readonly.py'
 --- src/identityprovider/management/commands/readonly.py	2018-01-29 01:46:19 +0000
 +++ src/identityprovider/management/commands/readonly.py	2019-10-22 14:04:10 +0000
@@ -1,66 +1,28 @@
--# Copyright 2010-2018 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  from __future__ import print_function
--from django.conf import settings
  from django.core.management.base import BaseCommand, CommandError
--from django.template import loader
--from identityprovider.readonly import get_server_atts, update_server
++from identityprovider.readonly import ReadOnlyManager
  class Command(BaseCommand):
      help = ('Manage readonly mode.\n\n'
--            'options --set and --clear are all mutually exclusive.\n'
++            'Actions "set" and "clear" are all mutually exclusive.\n'
              'You can only choose one at a time.')
      def add_arguments(self, parser):
--        parser.add_argument(
--            '--list', action='store_true', dest='list_servers', default=False,
--            help='List available application servers.')
--        parser.add_argument(
--            '--all', action='store_true', dest='all_servers',
--            default=False, help='Select all servers.')
--        parser.add_argument(
--            '--set', action='store_const', const='set',
--            dest='action', help='Set server to read-only.')
--        parser.add_argument(
--            '--clear', action='store_const', const='clear',
--            dest='action', help='Set server to read-write.')
--        parser.add_argument('servers', metavar='server', nargs='*')
++        parser.add_argument('action', help='One of "set" or "clear".')
      def handle(self, *args, **options):
--        servers = options.get('servers')
--        list_servers = options.get('list_servers')
--        all_servers = options.get('all_servers')
--        action = options.get('action')
--
--        # determine servers to act upon
--        if all_servers:
--            servers = [app['SERVER_ID'] for app in settings.APP_SERVERS]
--            servers.sort()
++        if options['action'] == 'set':
++            ReadOnlyManager().set_readonly()
++            self.stdout.write('Readonly mode set')
++        elif options['action'] == 'clear':
++            ReadOnlyManager().clear_readonly()
++            self.stdout.write('Readonly mode cleared')
          else:
--            msgs = (
--                'Enter at least one server, or specify the --all option.',
--                'Use --list to get a list of configured servers.',
--            )
--            if not servers and not list_servers:
--                raise CommandError('\n  '.join(msgs))
--
--        # determine action to perform
--        if action is not None:
--            for server in servers:
--                update_server(action, server)
--        elif not list_servers:
--            msg = 'Enter one of --set or --clear.'
++            msg = 'Enter one of "set" or "clear".'
              raise CommandError(msg)
--
--        # list action is special as it can be combined with the other actions
--        if list_servers:
--            self.show_servers()
--
--    def show_servers(self):
--        """Provides a report about readonly status of all app servers."""
--        atts = get_server_atts(settings.APP_SERVERS)
--        print(loader.render_to_string('admin/readonly.txt', atts))
 === modified file 'src/identityprovider/readonly.py'
 --- src/identityprovider/readonly.py	2018-01-28 12:43:01 +0000
 +++ src/identityprovider/readonly.py	2019-10-22 14:04:10 +0000
@@ -1,11 +1,9 @@
--# Copyright 2010 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
--import json
  import os
  import stat
--import requests
  from django.conf import settings
  # When a request arrives, the middleware will:
@@ -31,95 +29,6 @@
  #   automatic=True, as they manage manual overrides.
--def _remote_req(host, port=None, scheme=None, server_id=None,
--                virtual_host=None, post=None):
--    """Makes a request to a specific appserver.
--
--    The first five arguments are the same as the keys for each dictionary in
--    the APP_SERVERS setting:
--
--    * host: The host at which we can reach the app server (can be an IP)
--    * port: The port that should be used (optional)
--    * scheme: The scheme to use to contact this app server (http/https)
--              (defaults to http)
--    * server_id: Some canonical name for this app server (optional)
--    * virtual_host: The virtual host that should be used, for app servers that
--                    serve multiple sites (optional).
--
--    If post is provided, it should be a sequence of 2-tuples that will be
--    encoded in to POST data.
--    """
--    if post is None:
--        post = []
--    post.append(('secret', settings.READONLY_SECRET))
--
--    if scheme is None:
--        scheme = 'http'
--    if port is None:
--        portstr = ''
--    else:
--        portstr = ':' + port
--    url = '%s://%s%s/readonlydata' % (scheme, host, portstr)
--    headers = {}
--    if virtual_host is not None:
--        headers['Host'] = virtual_host
--    try:
--        response = requests.post(url, headers=headers, data=post, timeout=5)
--        data = response.content
--    except requests.RequestException:
--        data = None
--    return data
--
--
--def lowercase_keys(dicts):
--    """ Convert all keys in a list of dicts to lowercase. """
--    return [dict((k.lower(), v) for (k, v) in d.items()) for d in dicts]
--
--
--def get_server_atts(servers):
--    """Provides a report about readonly status of all app servers."""
--    appservers = []
--    set_all_readonly = False
--    clear_all_readonly = False
--    for server in lowercase_keys(servers):
--        datastr = _remote_req(**server)
--        if datastr is None:
--            data = {'reachable': False}
--        else:
--            try:
--                data = json.loads(datastr)
--            except ValueError:
--                # This is probably caused by the remote database being out
--                # of sync with our current database
--                data = {'reachable': False}
--            else:
--                data['reachable'] = True
--            if data.get('readonly'):
--                clear_all_readonly = True
--            else:
--                set_all_readonly = True
--        data['name'] = server['server_id']
--        appservers.append(data)
--    atts = {
--        'appservers': appservers,
--        'clear_all_readonly': clear_all_readonly,
--        'set_all_readonly': set_all_readonly,
--    }
--    return atts
--
--
--def update_server(action, appserver=None):
--    if appserver is None:
--        appservers = settings.APP_SERVERS
--    else:
--        appservers = [server for server in settings.APP_SERVERS
--                      if server['SERVER_ID'] == appserver]
--    appservers = lowercase_keys(appservers)
--    for server in appservers:
--        post = [('action', action)]
--        _remote_req(post=post, **server)
--
--
  class ReadOnlyManager(object):
      @property
 === removed file 'src/identityprovider/templates/admin/readonly.html'
 --- src/identityprovider/templates/admin/readonly.html	2013-06-20 15:37:44 +0000
 +++ src/identityprovider/templates/admin/readonly.html	1970-01-01 00:00:00 +0000
@@ -1,66 +0,0 @@
--{% extends "admin/index.html" %}
--{% load i18n staticfiles %}
--
--{% comment %}
--Copyright 2010 Canonical Ltd.  This software is licensed under the
--GNU Affero General Public License version 3 (see the file  LICENSE).
--{% endcomment %}
--
--{% block breadcrumbs %}
--<div class="breadcrumbs"><a href="/admin/">
--{% trans "Home" %}</a> &rsaquo;
--<a href="/admin/identityprovider/">Identityprovider</a> &rsaquo;
--{% trans "Readonly Admin" %}
--</div>
--{% endblock %}
--
--{% block content %}
--<div id="content-main">
--    <h1>{% trans "Readonly status per application server" %}</h1>
--    {% for server in appservers %}
--        <div class="module">
--        <table summary="DB connection on {{server.name}}.">
--        <caption>{{server.name}}</caption>
--        <tr><th scope="row">
--            {{server.state}}
--{% if server.reachable %}
--    {% if server.readonly %}{% trans "In readonly mode" %}<ul>
--         <li>{% trans "Manually disabled" %}</li>
--        </ul>
--        </th>
--        <td>
--            <a href="/readonly/{{server.name}}/clear/" class="addlink">
--                {% trans "Leave readonly" %}
--            </a>
--        </td>
--    {% else %}
--        {% trans "Operating normally" %}
--        </th>
--        <td>
--            <a href="/readonly/{{server.name}}/set/" class="deletelink">
--                {% trans "Set readonly" %}
--            </a>
--        </td>
--    {% endif %}
--    {% else %}{% trans "Server is unreachable or out of sync" %}
--        </th><td></td>
--    {% endif %}
--    </tr>
--        </table>
--        </div>
--    {% endfor %}
--    {% if clear_all_readonly %}<p>
--                <a href="/readonly/clear/" class="addlink">
--                    {% trans "Leave readonly on all appservers" %}
--                </a>
--    </p>{% endif %}
--    {% if set_all_readonly %}<p>
--                <a href="/readonly/set/" class="deletelink">
--                    {% trans "Set readonly on all appservers" %}
--                </a>
--    </p>{% endif %}
--</div>
--
--{% endblock %}
--
--{% block sidebar %}{% endblock %}
 === removed file 'src/identityprovider/templates/admin/readonly.txt'
 --- src/identityprovider/templates/admin/readonly.txt	2013-06-21 11:31:17 +0000
 +++ src/identityprovider/templates/admin/readonly.txt	1970-01-01 00:00:00 +0000
@@ -1,8 +0,0 @@
--{% comment %}
--Copyright 2010 Canonical Ltd.  This software is licensed under the
--GNU Affero General Public License version 3 (see the file LICENSE).
--
--{% endcomment %}Readonly status per application server
---------------------------------------------------------------------------------
--{% for server in appservers %}
-- {{server.name}} -- {% if server.reachable %}{% if server.readonly %}In readonly mode{% else %}Operating normally{% endif %}{% else %}Server is unreachable or out of sync{% endif %}{% endfor %}
 === removed file 'src/identityprovider/templates/admin/readonly_confirm.html'
 --- src/identityprovider/templates/admin/readonly_confirm.html	2013-06-20 15:41:21 +0000
 +++ src/identityprovider/templates/admin/readonly_confirm.html	1970-01-01 00:00:00 +0000
@@ -1,70 +0,0 @@
--{% extends "admin/index.html" %}
--{% load i18n %}
--
--{% comment %}
--Copyright 2010 Canonical Ltd.  This software is licensed under the
--GNU Affero General Public License version 3 (see the file  LICENSE).
--{% endcomment %}
--
--{% block breadcrumbs %}
--<div class="breadcrumbs"><a href="/admin/">
--{% trans "Home" %}</a> &rsaquo;
--<a href="/admin/identityprovider/">Identityprovider</a> &rsaquo;
--<a href="/readonly">{% trans "Readonly Admin" %}</a> &rsaquo;
--{% trans "Confirm" %}
--</div>
--{% endblock %}
--
--{% block content %}
--<pre>{{ appservers }}</pre>
--<div id="content" class="colM">
--    <h1>{% trans "Are you sure?" %}</h1>
--    {% if appserver %}
--    <div class="system-message">
--    <p class="system-message-title">
--    {% blocktrans %}You're not operating on all appservers{% endblocktrans %}
--    </p>
--    <p>
--    {% blocktrans %}Changing readonly mode on a single application server can lead to inconsistent states and unexpected behaviour.{% endblocktrans %}
--    </p>
--    </div>
--    {% else %}
--    {% ifequal action "clear" %}
--    <div class="system-message">
--    <p class="system-message-title">
--    {% blocktrans %}Make sure the master database connection is enabled on all app servers <b>before</b> leaving readonly mode!{% endblocktrans %}
--    </p>
--    </div>
--    {% endifequal %}
--    {% endif %}
--
--    <p>
--    {% if action == "set" %}
--        {% if appserver %}
--            {% blocktrans %}You are about to enable readonly mode on appserver <b>{{ appserver }}</b>.{% endblocktrans %}
--        {% else %}
--            {% blocktrans %}You are about to enable readonly mode globally.{% endblocktrans %}</p><p>
--            {% blocktrans %}All appservers will be passed to read-only mode if you confirm.{% endblocktrans %}
--        {% endif %}
--    {% elif action == "clear" %}
--        {% if appserver %}
--            {% blocktrans %}You are about to clear readonly mode on appserver <b>{{ appserver }}</b>.{% endblocktrans %}</p><p>
--            {% blocktrans %}If you confirm, <b>{{ appserver }}</b> will attempt to resume normal operation with its master database connection.{% endblocktrans %}</p>
--        {% else %}
--            {% blocktrans %}You are about to clear readonly mode globally.{% endblocktrans %}</p><p>
--            {% blocktrans %}If you confirm, all appservers will attempt to resume normal operation.{% endblocktrans %}
--        {% endif %}
--    {% endif %}
--    </p>
--    <form method="POST" action="">
--		{% csrf_token %}
--        <input type="hidden" name="action" value="{{action}}" />
--        <input type="hidden" name="appserver" value="{{appserver}}" />
--        <input type="submit" value="{% trans "Yes, I'm sure" %}" />
--        {% trans "or" %} <a href="/readonly">{% trans "Cancel" %}</a>
--    </form>
--</div>
--
--{% endblock %}
--
--{% block sidebar %}{% endblock %}
 === modified file 'src/identityprovider/tests/test_auth.py'
 --- src/identityprovider/tests/test_auth.py	2018-11-29 12:02:42 +0000
 +++ src/identityprovider/tests/test_auth.py	2019-10-22 14:04:10 +0000
@@ -50,9 +50,8 @@
      EmailStatus,
      TokenScope,
+ )
--from identityprovider.readonly import ReadOnlyManager
  from identityprovider.tests import DEFAULT_API_PASSWORD, DEFAULT_USER_PASSWORD
--from identityprovider.tests.utils import SSOBaseTestCase
++from identityprovider.tests.utils import SSOBaseTestCase, readonly_enabled
  from identityprovider.utils import (
      encrypt_launchpad_password,
      get_cypher_migration_status,
@@ -350,12 +349,9 @@
          assert leak.password != self.account.encrypted_password
          last_leak_check = self.account.accountpassword.last_leak_check
--        rm = ReadOnlyManager()
--        rm.set_readonly()
--        self.addCleanup(rm.clear_readonly)
--
--        account = self.backend.authenticate(
--            None, self.email, DEFAULT_USER_PASSWORD)
++        with readonly_enabled():
++            account = self.backend.authenticate(
++                None, self.email, DEFAULT_USER_PASSWORD)
          # verify account was NOT flagged for password reset
          self.assertFalse(account.need_password_reset)
          # Verify the last_leak_check was NOT updated
 === modified file 'src/identityprovider/tests/test_command_readonly.py'
 --- src/identityprovider/tests/test_command_readonly.py	2018-02-09 20:56:16 +0000
 +++ src/identityprovider/tests/test_command_readonly.py	2019-10-22 14:04:10 +0000
@@ -1,4 +1,4 @@
--# Copyright 2010-2018 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  import shutil
@@ -7,13 +7,7 @@
  import tempfile
  from django.conf import settings
--from django.core.handlers.wsgi import WSGIHandler
  from django.core.management import CommandError, call_command
--from wsgi_intercept import (
--    add_wsgi_intercept,
--    remove_wsgi_intercept,
--    requests_intercept,
--)
  from identityprovider.readonly import ReadOnlyManager
  from identityprovider.tests.utils import SSOBaseTestCase
@@ -31,64 +25,21 @@
          self.patch(sys, 'stdout', new=StringIO.StringIO())
          self.patch(sys, 'stderr', new=StringIO.StringIO())
--        self.servers = [
--            {'SERVER_ID': 'localhost', 'HOST': 'localhost', 'PORT': '8000'},
--            {'SERVER_ID': 'otherhost', 'HOST': 'localhost', 'PORT': '8001'},
--        ]
--        _APP_SERVERS = settings.APP_SERVERS
--        settings.APP_SERVERS = self.servers
--        self.addCleanup(setattr, settings, 'APP_SERVERS', _APP_SERVERS)
--
          _DBFAILOVER_FLAG_DIR = getattr(settings, 'DBFAILOVER_FLAG_DIR', None)
          settings.DBFAILOVER_FLAG_DIR = tempfile.mkdtemp()
          self.addCleanup(shutil.rmtree, settings.DBFAILOVER_FLAG_DIR, True)
          self.addCleanup(setattr, settings, 'DBFAILOVER_FLAG_DIR',
                          _DBFAILOVER_FLAG_DIR)
--        # setup wsgi intercept mechanism to simulate wsgi server
--        self.unset_env('http_proxy')
--        self.unset_env('https_proxy')
--        requests_intercept.install()
--        self.addCleanup(requests_intercept.uninstall)
--        for server in self.servers:
--            add_wsgi_intercept(server['HOST'], int(server['PORT']),
--                               WSGIHandler)
--            self.addCleanup(remove_wsgi_intercept,
--                            server['HOST'], int(server['PORT']))
--
--    def get_status(self):
--        call_command('readonly', list_servers=True)
--        sys.stdout.seek(0)
--        output = sys.stdout.read()
--        return output
--
      def test_readonly(self):
          self.assertRaises(CommandError, call_command, 'readonly')
--    def test_readonly_list_all(self):
--        output = self.get_status()
--        self.assertTrue(self.servers[0]['SERVER_ID'] in output)
--
      def test_readonly_set(self):
--        call_command('readonly', self.servers[0]['SERVER_ID'], action='set')
++        call_command('readonly', 'set')
          self.rm.check_readonly()
          self.assertTrue(settings.READ_ONLY_MODE)
      def test_readonly_clear(self):
--        call_command('readonly', self.servers[0]['SERVER_ID'], action='clear')
++        call_command('readonly', 'clear')
          self.rm.check_readonly()
          self.assertFalse(settings.READ_ONLY_MODE)
--
--    def test_readonly_set_all(self):
--        call_command('readonly', action='set', all_servers=True)
--        output = self.get_status()
--        for server in settings.APP_SERVERS:
--            expected = "%s -- In readonly mode" % server['SERVER_ID']
--            self.assertTrue(expected in output)
--
--    def test_readonly_clear_all(self):
--        call_command('readonly', action='clear', all_servers=True)
--        output = self.get_status()
--        for server in settings.APP_SERVERS:
--            expected = "%s -- Operating normally" % server['SERVER_ID']
--            self.assertTrue(expected in output)
 === modified file 'src/identityprovider/tests/test_models_account.py'
 --- src/identityprovider/tests/test_models_account.py	2018-02-14 14:05:59 +0000
 +++ src/identityprovider/tests/test_models_account.py	2019-10-22 14:04:10 +0000
@@ -36,9 +36,8 @@
      TokenScope,
+ )
  from identityprovider.models.emailaddress import EmailAddress
--from identityprovider.readonly import ReadOnlyManager
  from identityprovider.tests import DEFAULT_USER_PASSWORD
--from identityprovider.tests.utils import SSOBaseTestCase
++from identityprovider.tests.utils import SSOBaseTestCase, readonly_enabled
  from identityprovider.views.testing import MockLaunchpad
@@ -307,16 +306,14 @@
          self.assertTrue(account.last_login is not None)
      def test_set_last_login_when_readonly(self):
--        readonly_manager = ReadOnlyManager()
          account = self.factory.make_account()
          account.last_login = last_login = datetime(2010, 01, 01)
          self.assertEqual(account.last_login, last_login)
          assert not settings.READ_ONLY_MODE
--        readonly_manager.set_readonly()
--        self.addCleanup(readonly_manager.clear_readonly)
--        account.last_login = the_now = now()
++        with readonly_enabled():
++            account.last_login = the_now = now()
          self.assertEqual(account.last_login, last_login)
          self.assertNotEqual(account.last_login, the_now)
@@ -515,15 +512,13 @@
          self.assertEqual(account_password.password, 'invalid')
      def test_save_when_readonly(self):
--        readonly_manager = ReadOnlyManager()
          account = self.factory.make_account()
          assert account.status == AccountStatus.ACTIVE
          assert not settings.READ_ONLY_MODE
--        readonly_manager.set_readonly()
--        self.addCleanup(readonly_manager.clear_readonly)
--        account.suspend()
++        with readonly_enabled():
++            account.suspend()
          # refresh account from db
          account = Account.objects.get(id=account.id)
          self.assertEqual(account.status, AccountStatus.ACTIVE)
 === modified file 'src/identityprovider/tests/test_models_openidmodels.py'
 --- src/identityprovider/tests/test_models_openidmodels.py	2018-02-09 20:56:16 +0000
 +++ src/identityprovider/tests/test_models_openidmodels.py	2019-10-22 14:04:10 +0000
@@ -19,8 +19,7 @@
      OpenIDRPConfig,
      OpenIDRPSummary,
+ )
--from identityprovider.readonly import ReadOnlyManager
--from identityprovider.tests.utils import SSOBaseTestCase
++from identityprovider.tests.utils import SSOBaseTestCase, readonly_enabled
  class DjangoOpenIDStoreTestCase(SSOBaseTestCase):
@@ -192,13 +191,10 @@
              trust_root=self.trust_root)
      def test_authorize_when_readonly(self):
--        rm = ReadOnlyManager()
--        rm.set_readonly()
--        self.addCleanup(rm.clear_readonly)
--
          expires = now()
--        OpenIDAuthorization.objects.authorize(self.account, self.trust_root,
--                                              expires)
++        with readonly_enabled():
++            OpenIDAuthorization.objects.authorize(
++                self.account, self.trust_root, expires)
          self.assertRaises(
              OpenIDAuthorization.DoesNotExist,
              OpenIDAuthorization.objects.get, account=self.account,
@@ -273,10 +269,7 @@
          return summary
      def test_record_when_readonly(self):
--        rm = ReadOnlyManager()
--        rm.set_readonly()
--
--        try:
++        with readonly_enabled():
              summary = OpenIDRPSummary.objects.record(
                  self.account, self.trust_root, self.openid_identity_url)
              self.assertEqual(summary, None)
@@ -284,8 +277,6 @@
                  OpenIDRPSummary.DoesNotExist,
                  OpenIDRPSummary.objects.get, account=self.account,
                  trust_root=self.trust_root, openid_identifier=None)
--        finally:
--            rm.clear_readonly()
      def test_record_with_existing_and_no_openid_identifier(self):
          summary1 = self.create_summary()
 === modified file 'src/identityprovider/tests/test_readonly.py'
 --- src/identityprovider/tests/test_readonly.py	2018-08-15 14:28:08 +0000
 +++ src/identityprovider/tests/test_readonly.py	2019-10-22 14:04:10 +0000
@@ -1,23 +1,14 @@
--# Copyright 2010 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
--import json
  import os
  import shutil
  import stat
  import tempfile
--import requests
--import responses
  from django.conf import settings
--from django.urls import reverse
--from identityprovider.readonly import (
--    ReadOnlyManager,
--    _remote_req,
--    get_server_atts,
--    update_server,
--)
++from identityprovider.readonly import ReadOnlyManager
  from identityprovider.tests import DEFAULT_USER_PASSWORD
  from identityprovider.tests.utils import SSOBaseTestCase
@@ -32,7 +23,6 @@
          # readonlymode stays False
          overrides = self.settings(
              READ_ONLY_MODE=False,
--            READONLY_SECRET='testsecret',
              DBFAILOVER_FLAG_DIR=tempfile.mkdtemp(),
+         )
          overrides.enable()
@@ -42,57 +32,6 @@
          self.rm = ReadOnlyManager()
--class RemoteRequestTestCase(SSOBaseTestCase):
--    msg = 'hello'
--    host = 'myhost'
--    scheme = 'https'
--    vhost = 'http://foobar.baz'
--
--    @responses.activate
--    def test_plain_remote_req(self):
--        responses.add(
--            responses.POST, 'http://%s/readonlydata' % self.host,
--            body=self.msg)
--        server = {'host': self.host}
--        self.assertEqual(self.msg, _remote_req(**server))
--        # This tests the PreparedRequest, which is before urllib3 inserts a
--        # default Host header.
--        self.assertNotIn('Host', responses.calls[0].request.headers)
--
--    @responses.activate
--    def test_https_remote_req(self):
--        responses.add(
--            responses.POST, '%s://%s/readonlydata' % (self.scheme, self.host),
--            body=self.msg)
--        server = {'host': self.host, 'scheme': self.scheme}
--        self.assertEqual(self.msg, _remote_req(**server))
--        # This tests the PreparedRequest, which is before urllib3 inserts a
--        # default Host header.
--        self.assertNotIn('Host', responses.calls[0].request.headers)
--
--    @responses.activate
--    def test_vhost_remote_req(self):
--        responses.add(
--            responses.POST, '%s://%s/readonlydata' % (self.scheme, self.host),
--            body=self.msg)
--        server = {
--            'host': self.host,
--            'scheme': self.scheme,
--            'virtual_host': self.vhost,
--        }
--        self.assertEqual(self.msg, _remote_req(**server))
--        self.assertEqual(
--            self.vhost, responses.calls[0].request.headers['Host'])
--
--    @responses.activate
--    def test_remote_req_error(self):
--        responses.add(
--            responses.POST, 'http://%s/readonlydata' % self.host,
--            body=requests.RequestException('error'))
--        server = {'host': self.host}
--        self.assertEqual(None, _remote_req(**server))
--
--
  class ReadOnlyFlagFilesTestCase(ReadOnlyBaseTestCase):
      def test_flag_files_in_right_directory(self):
@@ -107,62 +46,6 @@
          self.assertTrue(mode & stat.S_IWGRP)
--class ReadOnlyDataTestCase(ReadOnlyBaseTestCase):
--
--    url = reverse('readonly-data')
--
--    def setUp(self):
--        super(ReadOnlyDataTestCase, self).setUp()
--        self.mock_logger = self.patch(
--            'identityprovider.views.readonly.logger')
--
--    def test_requires_post(self):
--        response = self.client.get(self.url)
--        self.assertEqual(response.status_code, 405)
--
--        response = self.client.delete(self.url)
--        self.assertEqual(response.status_code, 405)
--
--        response = self.client.put(self.url)
--        self.assertEqual(response.status_code, 405)
--
--    def test_missing_secret(self):
--        response = self.client.post(self.url)
--
--        self.assertEqual(response.status_code, 404)
--        self.mock_logger.warning.assert_called_once_with(
--            'readonly_data request received with incorrect secret %r', None)
--
--    def test_incorrect_secret(self):
--        assert len(settings.READONLY_SECRET) > 0
--        secret = settings.READONLY_SECRET * 2
--        response = self.client.post(self.url, data=dict(secret=secret))
--
--        self.assertEqual(response.status_code, 404)
--        self.mock_logger.warning.assert_called_once_with(
--            'readonly_data request received with incorrect secret %r', secret)
--
--    def test_correct_secret(self):
--        secret = settings.READONLY_SECRET
--        response = self.client.post(self.url, data=dict(secret=secret))
--
--        self.assertEqual(response.status_code, 200)
--        response = json.loads(response.content)
--        self.assertEqual(response, dict(readonly=False))
--
--    def test_readonly_set_readonly(self):
--        post = {'secret': settings.READONLY_SECRET, 'action': 'set'}
--        response = self.client.post('/readonlydata', post)
--        data = json.loads(response.content)
--        self.assertTrue(data['readonly'])
--
--    def test_readonly_clear_readonly(self):
--        post = {'secret': settings.READONLY_SECRET, 'action': 'clear'}
--        response = self.client.post('/readonlydata', post)
--        data = json.loads(response.content)
--        self.assertFalse(data['readonly'])
--
--
  class ReadOnlyViewsTestCase(ReadOnlyBaseTestCase):
      def login_with_staff(self):
@@ -171,140 +54,6 @@
          assert self.client.login(
              username=account.preferredemail.email, password='password')
--    def test_readonly_admin(self):
--        self.login_with_staff()
--
--        new_setting = [
--            {'SERVER_ID': 'localhost', 'SCHEME': 'http',
--             'HOST': 'localhost', 'VIRTUAL_HOST': '',
--             'PORT': '8000'}
--        ]
--        with self.settings(APP_SERVERS=new_setting):
--            r = self.client.get('/readonly')
--
--        self.assertTemplateUsed(r, 'admin/readonly.html')
--        expected = {'appservers': [{'name': 'localhost', 'reachable': False}],
--                    'clear_all_readonly': False,
--                    'set_all_readonly': False}
--        for item in r.context:
--            for key, value in expected.items():
--                self.assertEqual(item[key], value)
--
--    def test_get_server_atts_server_unreachable(self):
--        servers = [{'SERVER_ID': 'localhost', 'SCHEME': 'http',
--                    'HOST': 'localhost', 'VIRTUAL_HOST': '', 'PORT': '8000'}]
--        expected = {'appservers': [{'name': 'localhost', 'reachable': False}],
--                    'clear_all_readonly': False,
--                    'set_all_readonly': False}
--        atts = get_server_atts(servers)
--        self.assertEqual(atts, expected)
--
--    @responses.activate
--    def test_get_server_atts_data_error(self):
--        responses.add(
--            responses.POST, 'http://localhost:8000/readonlydata', body='{')
--
--        servers = [{'SERVER_ID': 'localhost', 'SCHEME': 'http',
--                    'HOST': 'localhost', 'VIRTUAL_HOST': '', 'PORT': '8000'}]
--        expected = {'appservers': [{'name': 'localhost', 'reachable': False}],
--                    'clear_all_readonly': False,
--                    'set_all_readonly': True}
--        atts = get_server_atts(servers)
--        self.assertEqual(atts, expected)
--
--    @responses.activate
--    def test_get_server_atts_readonly(self):
--        responses.add(
--            responses.POST, 'http://localhost:8000/readonlydata',
--            json={'readonly': True})
--
--        servers = [{'SERVER_ID': 'localhost', 'SCHEME': 'http',
--                    'HOST': 'localhost', 'VIRTUAL_HOST': '', 'PORT': '8000'}]
--        expected = {'appservers': [{'name': 'localhost', 'reachable': True,
--                                    'readonly': True}],
--                    'clear_all_readonly': True,
--                    'set_all_readonly': False}
--        atts = get_server_atts(servers)
--        self.assertEqual(atts, expected)
--
--    def test_readonly_confirm_get(self):
--        self.login_with_staff()
--
--        r = self.client.get('/readonly/localhost/set')
--        self.assertTemplateUsed(r, 'admin/readonly_confirm.html')
--        self.assertEqual(r.context['appserver'], 'localhost')
--        self.assertEqual(r.context['action'], 'set')
--
--    @responses.activate
--    def test_readonly_confirm_post(self):
--        responses.add(
--            responses.POST, 'http://localhost:8000/readonlydata', json={})
--        self.login_with_staff()
--
--        new_setting = [
--            {'SERVER_ID': 'localhost', 'SCHEME': 'http',
--             'HOST': 'localhost', 'VIRTUAL_HOST': '',
--             'PORT': '8000'}
--        ]
--        with self.settings(APP_SERVERS=new_setting):
--            r = self.client.post('/readonly/localhost/set')
--        data = [call.request.body for call in responses.calls]
--        self.assertEqual(data, [
--            "action=set&secret=%s" % settings.READONLY_SECRET
--        ])
--
--        self.assertRedirects(r, '/readonly')
--
--    @responses.activate
--    def test_update_server_all_appservers(self):
--        responses.add(
--            responses.POST, 'http://localhost:8000/readonlydata', json={})
--        new_setting = [
--            {'SERVER_ID': 'localhost', 'SCHEME': 'http',
--             'HOST': 'localhost', 'VIRTUAL_HOST': '', 'PORT': '8000'},
--            {'SERVER_ID': 'otherhost', 'SCHEME': 'http',
--             'HOST': 'otherhost', 'VIRTUAL_HOST': '', 'PORT': '8000'},
--        ]
--        with self.settings(APP_SERVERS=new_setting):
--            update_server('set')
--        data = [call.request.body for call in responses.calls]
--        self.assertEqual(data, [
--            "action=set&secret=%s" % settings.READONLY_SECRET,
--            "action=set&secret=%s" % settings.READONLY_SECRET
--        ])
--
--    @responses.activate
--    def test_update_server_one_appserver(self):
--        responses.add(
--            responses.POST, 'http://localhost:8000/readonlydata', json={})
--        new_setting = [
--            {'SERVER_ID': 'localhost', 'SCHEME': 'http',
--             'HOST': 'localhost', 'VIRTUAL_HOST': '', 'PORT': '8000'},
--            {'SERVER_ID': 'otherhost', 'SCHEME': 'http',
--             'HOST': 'otherhost', 'VIRTUAL_HOST': '', 'PORT': '8000'},
--        ]
--        with self.settings(APP_SERVERS=new_setting):
--            update_server('set', 'localhost')
--        data = [call.request.body for call in responses.calls]
--        self.assertEqual(data, [
--            "action=set&secret=%s" % settings.READONLY_SECRET
--        ])
--
--    @responses.activate
--    def test_update_server_one_connection(self):
--        responses.add(
--            responses.POST, 'http://localhost:8000/readonlydata', json={})
--        new_setting = [
--            {'SERVER_ID': 'localhost', 'SCHEME': 'http',
--             'HOST': 'localhost', 'VIRTUAL_HOST': '', 'PORT': '8000'},
--        ]
--        with self.settings(APP_SERVERS=new_setting):
--            update_server('set', 'localhost')
--        data = [call.request.body for call in responses.calls]
--        self.assertEqual(data, [
--            "action=set&secret=%s" % settings.READONLY_SECRET,
--        ])
--
      def test_nop_db_in_readonly_mode(self):
          account = self.factory.make_account()
 === modified file 'src/identityprovider/tests/test_signals.py'
 --- src/identityprovider/tests/test_signals.py	2018-05-28 19:44:56 +0000
 +++ src/identityprovider/tests/test_signals.py	2019-10-22 14:04:10 +0000
@@ -21,7 +21,6 @@
      TokenScope,
+ )
  from identityprovider.models.emailaddress import EmailAddress
--from identityprovider.readonly import ReadOnlyManager
  from identityprovider.signals import (
      invalidate_account_oauth_tokens,
      invalidate_preferredemail,
@@ -34,7 +33,7 @@
+ )
  from identityprovider.tests import DEFAULT_USER_PASSWORD
  from identityprovider.tests.test_auth import AuthLogTestCaseMixin
--from identityprovider.tests.utils import SSOBaseTestCase
++from identityprovider.tests.utils import SSOBaseTestCase, readonly_enabled
  class SessionTokenOnLoginTestCase(SSOBaseTestCase):
@@ -107,34 +106,26 @@
              self.client.session.get(SESSION_TOKEN_KEY), token.key)
      def test_listener_read_only_mode_no_token(self):
--        rm = ReadOnlyManager()
--        rm.set_readonly()
--        self.addCleanup(rm.clear_readonly)
--
--        self.client.login(username=self.email, password=DEFAULT_USER_PASSWORD)
++        with readonly_enabled():
++            self.client.login(
++                username=self.email, password=DEFAULT_USER_PASSWORD)
          self.assertEqual(self.account.token_set.all().count(), 0)
          self.assertEqual(self.client.session.get(SESSION_TOKEN_KEY), '')
      def test_listener_read_only_mode_previous_token_no_web_login(self):
          self.account.create_oauth_token(token_name=SESSION_TOKEN_NAME)
--
--        rm = ReadOnlyManager()
--        rm.set_readonly()
--        self.addCleanup(rm.clear_readonly)
--
--        self.client.login(username=self.email, password=DEFAULT_USER_PASSWORD)
++        with readonly_enabled():
++            self.client.login(
++                username=self.email, password=DEFAULT_USER_PASSWORD)
          self.assertEqual(
              self.client.session.get(SESSION_TOKEN_KEY), '')
      def test_listener_read_only_mode_previous_token(self):
          token = self.account.create_oauth_token(
              token_name=SESSION_TOKEN_NAME, scope=TokenScope.WEB_LOGIN)
--
--        rm = ReadOnlyManager()
--        rm.set_readonly()
--        self.addCleanup(rm.clear_readonly)
--
--        self.client.login(username=self.email, password=DEFAULT_USER_PASSWORD)
++        with readonly_enabled():
++            self.client.login(
++                username=self.email, password=DEFAULT_USER_PASSWORD)
          self.assertEqual(
              self.client.session.get(SESSION_TOKEN_KEY), token.key)
 === modified file 'src/identityprovider/tests/utils.py'
 --- src/identityprovider/tests/utils.py	2018-05-25 21:49:46 +0000
 +++ src/identityprovider/tests/utils.py	2019-10-22 14:04:10 +0000
@@ -1,4 +1,4 @@
--# Copyright 2010-2013 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  import base64
@@ -10,6 +10,7 @@
  import threading
  import urllib
  import urllib2
++from contextlib import contextmanager
  from cStringIO import StringIO
  from datetime import timedelta
  from importlib import import_module
@@ -33,6 +34,7 @@
  # same logic as prod systems
  from identityprovider import crypto, signed, signals  # noqa
  from identityprovider.macaroon import MacaroonRequest
++from identityprovider.readonly import ReadOnlyManager
  from identityprovider.tests import DEFAULT_USER_PASSWORD
  from identityprovider.tests.factory import SSOObjectFactory
  from identityprovider.utils import generate_random_string
@@ -532,3 +534,13 @@
          self.assertIsInstance(thrown_exceptions[0], OperationalError)
          self.assertIn(
              "could not obtain lock on row", str(thrown_exceptions[0]))
++
++
++@contextmanager
++def readonly_enabled():
++    rm = ReadOnlyManager()
++    rm.set_readonly()
++    try:
++        yield
++    finally:
++        rm.clear_readonly()
 === modified file 'src/identityprovider/urls.py'
 --- src/identityprovider/urls.py	2018-02-15 11:27:21 +0000
 +++ src/identityprovider/urls.py	2019-10-22 14:04:10 +0000
@@ -5,11 +5,6 @@
  from django.conf.urls import include, url
  from django.views.generic import RedirectView
--from identityprovider.views.readonly import (
--    readonly_admin,
--    readonly_confirm,
--    readonly_data,
--)
  from identityprovider.views.server import (
      cancel,
      decide,
@@ -55,13 +50,6 @@
          RedirectView.as_view(url='/+id/%(identifier)s', permanent=False)),
+ ]
--urlpatterns += [
--    url(r'^readonly$', readonly_admin),
--    url(r'^readonly/((?P<appserver>[A-Za-z0-9\-_.:]+)/)?'
--        r'(?P<action>set|clear)', readonly_confirm),
--    url(r'^readonlydata$', readonly_data, name='readonly-data'),
--]
--
  if settings.DEBUG:
      urlpatterns += [
          url(r'^i18n/', include('django.conf.urls.i18n')),
 === removed file 'src/identityprovider/views/readonly.py'
 --- src/identityprovider/views/readonly.py	2018-02-09 20:56:16 +0000
 +++ src/identityprovider/views/readonly.py	1970-01-01 00:00:00 +0000
@@ -1,64 +0,0 @@
--# Copyright 2010 Canonical Ltd.  This software is licensed under the
--# GNU Affero General Public License version 3 (see the file LICENSE).
--
--import json
--import logging
--
--from django.conf import settings
--from django.contrib.admin.views.decorators import staff_member_required
--from django.http import Http404, HttpResponse, HttpResponseRedirect
--from django.shortcuts import render
--from django.views.decorators.csrf import csrf_exempt
--from django.views.decorators.http import require_POST
--
--from identityprovider.readonly import (
--    ReadOnlyManager,
--    get_server_atts,
--    update_server,
--)
--
--
--logger = logging.getLogger(__name__)
--
--
--@staff_member_required
--def readonly_admin(request):
--    atts = get_server_atts(settings.APP_SERVERS)
--    return render(request, 'admin/readonly.html', atts)
--
--
--@staff_member_required
--def readonly_confirm(request, action, appserver=None):
--    if request.method == 'POST':
--        update_server(action, appserver)
--        return HttpResponseRedirect('/readonly')
--    context = {
--        'appserver': appserver,
--        'action': action,
--    }
--    return render(request, 'admin/readonly_confirm.html', context)
--
--
--@csrf_exempt
--@require_POST
--def readonly_data(request):
--    """Provides data about the readonly status of this app server."""
--
--    secret = request.POST.get('secret')
--    if secret != settings.READONLY_SECRET:
--        logger.warning(
--            'readonly_data request received with incorrect secret %r', secret)
--        raise Http404()
--
--    action = request.POST.get('action')
--    romanager = ReadOnlyManager()
--
--    if action == 'set':
--        romanager.set_readonly()
--    elif action == 'clear':
--        romanager.clear_readonly()
--
--    result = {
--        'readonly': settings.READ_ONLY_MODE,
--    }
--    return HttpResponse(json.dumps(result))
 === modified file 'src/webui/tests/test_templates.py'
 --- src/webui/tests/test_templates.py	2018-05-28 20:15:33 +0000
 +++ src/webui/tests/test_templates.py	2019-10-22 14:04:10 +0000
@@ -6,10 +6,10 @@
  from pyquery import PyQuery
  from identityprovider.models.openidmodels import OpenIDRPConfig
--from identityprovider.readonly import ReadOnlyManager
  from identityprovider.tests.utils import (
      AuthenticatedTestCase,
      SSOBaseTestCase,
++    readonly_enabled,
+ )
@@ -99,11 +99,8 @@
          self.assertContains(response, "data-qa-id=\"create_account_form\"")
      def test_login_without_create_account_form(self):
--        rm = ReadOnlyManager()
--        rm.set_readonly()
--        self.addCleanup(rm.clear_readonly)
--
--        response = self.client.get('/+login')
++        with readonly_enabled():
++            response = self.client.get('/+login')
          self.assertNotContains(response, "data-qa-id=\"create_account_form\"")
 === modified file 'src/webui/tests/test_views_account.py'
 --- src/webui/tests/test_views_account.py	2019-06-18 20:13:31 +0000
 +++ src/webui/tests/test_views_account.py	2019-10-22 14:04:10 +0000
@@ -1,4 +1,4 @@
--# Copyright 2010-2017 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  from __future__ import unicode_literals
@@ -41,6 +41,7 @@
      AuthenticatedTestCase,
      SSOBaseTestCase,
      assert_exhausted_warning,
++    readonly_enabled,
+ )
  from identityprovider.views.testing import MockLaunchpad
  from webui import decorators
@@ -268,6 +269,17 @@
          r = self.client.post(self.url, data)
          self.assertEqual(r.status_code, 302)
++    def test_index_edit_displayname_disabled_when_readonly(self):
++        old_displayname = self.account.displayname
++        data = {'displayname': "New Display Name",
++                'preferred_email': self.account.preferredemail.id,
++                'oldpassword': DEFAULT_USER_PASSWORD}
++        with readonly_enabled():
++            r = self.client.post(self.url, data)
++        self.account.refresh_from_db()
++        self.assertEqual(r.status_code, 200)
++        self.assertEqual(old_displayname, self.account.displayname)
++
      def test_index_edit_displayname_no_email(self):
          data = {'displayname': "New Display Name",
                  'preferred_email': self.account.preferredemail.id,
@@ -427,6 +439,14 @@
          r = self.client.get(self.url)
          self.assertContains(r, 'value="%s"' % bad_username)
++    @switches(USERNAME_UI=True)
++    def test_edit_username_disabled_when_readonly(self):
++        with readonly_enabled():
++            r = self.post_username_change('new-username')
++        self.account.refresh_from_db()
++        self.assertEqual(r.status_code, 200)
++        self.assertIsNone(self.account.person)
++
      def test_index_edit_password(self):
          oauth_tokens = self.account.token_set.all()
          # web login token should be there
@@ -548,6 +568,23 @@
                               {'newemail': "very-new-email@example.com"})
          self.assertEqual(r.status_code, 200)
++    def test_new_email_get_disabled_when_readonly(self):
++        with readonly_enabled():
++            r = self.client.get(reverse('new_email'))
++
++        self.assertEqual(r.status_code, 403)
++        self.assertTemplateUsed(r, 'readonly.html')
++
++    def test_new_email_post_disabled_when_readonly(self):
++        with readonly_enabled():
++            r = self.client.post(
++                reverse('new_email'),
++                {'newemail': "very-new-email@example.com"},
++            )
++
++        self.assertEqual(r.status_code, 403)
++        self.assertTemplateUsed(r, 'readonly.html')
++
      def test_new_email_post_with_token(self):
          url = reverse('new_email', kwargs=dict(token='thisissuperrando'))
          self.client.post(url, {'newemail': "very-new-email@example.com"})
@@ -695,6 +732,13 @@
          self.assertContains(
              response, 'Your Ubuntu One account has now been deleted')
++    def test_delete_view_disabled_when_readonly(self):
++        data = {'password': DEFAULT_USER_PASSWORD}
++        with readonly_enabled():
++            self.client.post('/+delete', data)
++        account = Account.objects.get(id=self.account.id)
++        self.assertNotEqual(account.status, AccountStatus.DELETED)
++
      def test_confirm_password_before_changing(self):
          oauth_tokens = self.account.token_set.all()
          # web login token should be there
@@ -1158,7 +1202,24 @@
          r = self.client.get(reverse('applications'))
          self.assertTemplateUsed(r, 'account/applications.html')
--    def test_account_without_applications_does_not_renders_token_table(self):
++    def test_applications_get_disabled_when_readonly(self):
++        with readonly_enabled():
++            r = self.client.get(reverse('applications'))
++
++        self.assertEqual(r.status_code, 403)
++        self.assertTemplateUsed(r, 'readonly.html')
++
++    def test_applications_post_disabled_when_readonly(self):
++        token = self.account.create_v1_oauth_token("Token-1")
++
++        with readonly_enabled():
++            r = self.client.post(
++                reverse('applications'), {'token_id': token.pk}, follow=True)
++
++        self.assertEqual(r.status_code, 403)
++        self.assertTemplateUsed(r, 'readonly.html')
++
++    def test_account_without_applications_does_not_render_token_table(self):
          r = self.client.get(reverse('applications'))
          # since user is logged in, the web login token exists, but we don't
          # want to list it
@@ -1181,7 +1242,7 @@
                  reverse('applications'), {'token_id': t.pk}, follow=True)
              self.assertNotContains(r, t.pk)
--    def test_revoking_token_which_does_not_belogs_to_an_account(self):
++    def test_revoking_token_which_does_not_belong_to_an_account(self):
          account = self.factory.make_account(email="foo@x.com")
          token = account.create_oauth_token("Token")
 === modified file 'src/webui/tests/test_views_registration.py'
 --- src/webui/tests/test_views_registration.py	2019-06-18 20:13:31 +0000
 +++ src/webui/tests/test_views_registration.py	2019-10-22 14:04:10 +0000
@@ -1,6 +1,6 @@
  # coding: utf-8
--# Copyright 2010 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  from __future__ import unicode_literals
@@ -33,7 +33,11 @@
      AuthenticationDevice,
+ )
  from identityprovider.tests import DEFAULT_USER_PASSWORD
--from identityprovider.tests.utils import SSOBaseTestCase, TimelineActionMixin
++from identityprovider.tests.utils import (
++    SSOBaseTestCase,
++    TimelineActionMixin,
++    readonly_enabled,
++)
  from webui.constants import (
      EMAIL_EXISTS_ERROR,
@@ -153,6 +157,13 @@
              'Please tell us your full name and choose a username and password:'
+         )
++    def test_get_when_readonly(self):
++        with readonly_enabled():
++            response = self.client.get(self.URL)
++
++        self.assertEqual(response.status_code, 403)
++        self.assertTemplateUsed(response, 'readonly.html')
++
      def test_head(self):
          request = self.factory.make_request(
              self.URL, method='HEAD', user=AnonymousUser(),
@@ -216,6 +227,13 @@
          self.assertEqual(
              response.request.session['token_email'], self.TESTDATA['email'])
++    def test_post_disabled_when_readonly(self):
++        with readonly_enabled():
++            response = self.client.post(self.URL, **self.TESTDATA)
++
++        self.assertEqual(response.status_code, 403)
++        self.assertTemplateUsed(response, 'readonly.html')
++
      @switches(USERNAME_UI=True)
      @override_settings(LP_API_URL='test.com')
      def test_post_success_with_username_with_feature_flag_enabled(self):
@@ -502,6 +520,12 @@
          self.assertEqual(ctx['form']['email'].value(), 'test@test.com')
          self.assertTemplateUsed(response, 'registration/forgot_password.html')
++    def test_when_readonly(self):
++        with readonly_enabled():
++            response = self.get()
++        self.assertEqual(response.status_code, 403)
++        self.assertTemplateUsed(response, 'readonly.html')
++
      def test_post_with_initial_data(self):
          data = dict(email='test@test.com', forgot_password='')
          response = self.post(data=data)
@@ -624,6 +648,12 @@
          self.assert_form_displayed(response, __all__=ERROR_TOO_MANY_REQUESTS)
          self.assert_stat_calls(['error.too_many_requests'])
++    def test_post_disabled_when_readonly(self):
++        with readonly_enabled():
++            response = self.post(data=self.data)
++        self.assertEqual(response.status_code, 403)
++        self.assertTemplateUsed(response, 'readonly.html')
++
      def test_method_not_allowed(self):
          response = self.put(data=self.data)
          self.assertEqual(response.status_code, 405)
 === modified file 'src/webui/tests/test_views_ui.py'
 --- src/webui/tests/test_views_ui.py	2019-05-10 19:53:55 +0000
 +++ src/webui/tests/test_views_ui.py	2019-10-22 14:04:10 +0000
@@ -1,6 +1,6 @@
  # coding: utf-8
--# Copyright 2010 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  from __future__ import unicode_literals
@@ -55,12 +55,12 @@
      AuthTokenType,
      EmailStatus,
+ )
--from identityprovider.readonly import ReadOnlyManager
  from identityprovider.tests import DEFAULT_USER_PASSWORD
  from identityprovider.tests.test_auth import AuthLogTestCaseMixin
  from identityprovider.tests.utils import (
      SSOBaseTestCase,
      TimelineActionMixin,
++    readonly_enabled,
+ )
  from identityprovider.utils import generate_random_string
  from identityprovider.validators import PASSWORD_LEAKED
@@ -136,6 +136,20 @@
          self.assertEqual(len(mail.outbox), 1)
++class ReadOnlyViewsTestCase(BaseTestCase):
++
++    def test_new_account_disabled_when_readonly(self):
++        self.account.status = AccountStatus.ACTIVE
++        self.account.save()
++
++        with readonly_enabled():
++            r = self.post_new_account(email=self.email)
++
++        self.assertEqual(r.status_code, 403)
++        self.assertEqual(len(mail.outbox), 0)
++        self.assertTemplateUsed(r, 'readonly.html')
++
++
  class UIViewsBaseTestCase(BaseTestCase):
      def setUp(self):
@@ -1518,11 +1532,7 @@
      def test_twofactor_login_disabled_when_readonly(self):
          self.mock_site.return_value = False
--        rm = ReadOnlyManager()
--        rm.set_readonly()
--        self.addCleanup(rm.clear_readonly)
--
--        with switches(TWOFACTOR=True):
++        with switches(TWOFACTOR=True), readonly_enabled():
              self.do_login()
              response = self.client.get(self.url)
          self.assertEqual(response.status_code, 404)